2 comments

The problem with most providers is that they keep the actual passwords on their servers. Even if these may be encrypted, there is a chance that they can be read and spied upon. However, to achieve a secure login with passwords as credentials, no passwords need to be kept for comparison! All you need is to calculate the so-called hash (a kind of checksum) of a password and ONLY store the hash. Then, when a user tries to log in, they type their password, but it is not the password itself that is compared: the hash is calculated and compared to the stored hash. If both match, the login is successful; if not, there is no login. If someone steals these hashes, though, they cannot use them as credentials, as the hashes are neither the passwords nor can a password be reverse-engineered from a hash – it only works one way.
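The register/login flow described in the comment above, as an added example (not code from the commenter or from any provider). It uses a per-user random salt and PBKDF2-HMAC-SHA256 rather than a bare hash, which is standard practice so that two users with the same password get different stored values and guessing is slowed down; the iteration count, the in-memory `USERS` table and the usernames/passwords are constructed for the example and are assumptions, not part of the original text.

```python
import hashlib
import hmac
import os

# Constructed in-memory stand-in for the provider's server-side store.
# It maps username -> (salt, derived hash); the password itself is never stored.
USERS: dict[str, tuple[bytes, bytes]] = {}

# Work factor for PBKDF2-HMAC-SHA256 (assumed value; tune per deployment).
ITERATIONS = 200_000
SALT_LEN = 16


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way derivation: password + salt -> fixed-length digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    """Store only a fresh random salt and the hash derived with it."""
    salt = os.urandom(SALT_LEN)
    USERS[username] = (salt, hash_password(password, salt))


def login(username: str, password: str) -> bool:
    """Recompute the hash from the typed password and compare it to the stored one."""
    record = USERS.get(username)
    if record is None:
        # Spend the same work for unknown users so response time does not
        # reveal whether a username exists.
        hash_password(password, b"\x00" * SALT_LEN)
        return False
    salt, stored = record
    # Constant-time comparison so the match/mismatch position does not leak.
    return hmac.compare_digest(hash_password(password, salt), stored)


def stored_record(username: str) -> tuple[bytes, bytes]:
    """What an attacker who copies the table would get for this user."""
    return USERS[username]


def stolen_hash_works_as_password(username: str) -> bool:
    """Does submitting the stolen hash (as hex) in the password field log in?"""
    _salt, digest = stored_record(username)
    return login(username, digest.hex())


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print("right password:", login("alice", "correct horse battery staple"))
    print("wrong password:", login("alice", "Tr0ub4dor&3"))
    print("unknown user:  ", login("bob", "anything"))
    print("stolen hash as credential:", stolen_hash_works_as_password("alice"))
```

Because the stored record is only `(salt, digest)`, a copy of the table gives the attacker neither the password nor something that can be typed into the login form; they would have to guess candidate passwords and run the same derivation, which the salt and iteration count are there to make slow.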